PRIVACY AND COOKIES POLICY

CHAPTER I
GENERAL PROVISIONS

  1. This Privacy and Cookies Policy (hereinafter referred to as the “Privacy Policy“) applies to the “Park Hotel Šiauliai” located at: S. Lukauskio str. 5A, LT-76236 Šiauliai, (hereinafter referred to as the “Hotel“). The Hotel’s Privacy Policy regulates the processing of Personal Data of guests, SPA and restaurant visitors, other individuals who visit the Hotel, its territory and use the services offered by the Hotel (hereinafter referred to as the “Guest“), as well as the processing of personal data of the hotel’s suppliers, contractors, other business partners, and job applicants at the Hotel. By submitting their Personal Data, individuals confirm that it is accurate and complete.
  2. The Privacy Policy is prepared in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter referred to as “GDPR” or “Regulation”), the Law on Legal Protection of Personal Data No. XIII-1426 of 30 June 2018 of the Republic of Lithuania (hereinafter referred to as “ADTAĮ”) and the Law on Electronic Communications No. IX-2135 of 15 April 2004 of the Republic of Lithuania.  

CHAPTER II
DEFINITIONS USED IN THE PRIVACY POLICY

  1. Personal Data – any information relating to a data subject, whose identity is known or can be directly or indirectly established.
  2. Data Processor – a natural or legal person, public authority, agency or other body to whom the Personal Data are disclosed.
  3. Data Controller – ŽŪK “Baltas Lašas”, company code 169282439, VAT payer code LT692824314, address: Dvaro str. 2A, Meškalaukio village, LT-39309 Pasvalio district.
  4. Data Subject – a natural person whose personal data is processed for the purpose specified in the Description.
  5. Data Subject’s Consent – any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of Personal Data relating to him or her.  
  6. Supervisory Authority – the State Data Protection Inspectorate.
  7. Data Processing – any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.  
  8. Hotel Website – www.parkhotelsiauliai.lt.
  9. Profiling – any form of automated processing of Personal Data whereby the Personal Data is used to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.  
  10. Other terms used in the Description correspond to the terms used in the ADTAĮ and the Regulation.

     

CHAPTER III
PRINCIPLES OF PERSONAL DATA PROCESSING

When processing Personal Data, the Company follows these principles:

  1. The Company processes Personal Data only for lawful purposes defined in this Privacy Policy.
  2. Personal Data is processed accurately, fairly and lawfully, in compliance with the requirements of legal acts.
  3. The Company processes Personal Data in such a way that the personal data is accurate and, if it changes, is constantly updated.
  4. The Company processes Personal Data only to the extent necessary to achieve the purposes of Personal Data processing.
  5. Personal Data is stored in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data were collected and processed.  
  6. Personal Data is processed in such a way that appropriate technical or organizational measures are used to ensure adequate security of the Personal Data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage.  
  7. When processing personal data, the Company anonymizes the data as far as technically possible.
  8. The Company’s manager, by order, appoints a responsible person who introduces the Hotel’s employees to this Privacy Policy and the personal data processing rules established therein.

CHAPTER IV
PERSONAL DATA PROCESSED BY THE DATA CONTROLLER

PROCESSING OF PERSONAL DATA WHEN A DATA SUBJECT RESERVES A ROOM IN THE HOTEL

  1. When a person reserves a room in the Hotel and personally fills out a guest card upon arrival at the Hotel, the Hotel, for the purposes of administration, accommodation, accounting and debt management, recovery, as well as for the purpose of keeping statistics, in order to fulfill the contract to which the Data Subject is a party, as well as fulfilling the Data Controller’s legal obligation under the Tourism Law of the Republic of Lithuania to register accommodation service orders (reservations), processes the person’s name, surname, date of birth, signature, passport, identity card or other document confirming the person’s identity number, the country that issued the identity document, the citizenship of the accommodated person, the address of residence, the length of stay at the Hotel, the name and surname of a minor child arriving with parents or guardians, the name and surname of the arriving spouse. A person filling out a guest card submits a valid identity document for identification. If a person does not provide the personal data provided for in this part (provides only part of it or provides incorrect personal data), the Hotel has the right not to provide accommodation services to the person.  
  2. For the purposes of security and order, in order to pursue the legitimate interests of the Data Controller and when such a legitimate interest is to ensure the internal order and security of the Hotel in the territory, the Data Controller also collects the license plate number of the Guest’s car with which the Guest arrived for recreation at the Hotel. The Guest indicates the car’s license plate number in the guest card being filled out or in another place indicated by the Data Controller.  
  3. For the purpose of contacting the person regarding the Hotel reservation or other issues related to registration and staying at the Hotel, in order to provide a preliminary or VAT invoice, for the purpose of fulfilling the contract to which the Data Subject is a party, the Company processes the Guest’s telephone number and e-mail address. If the Guest does not provide the specified personal data, the Hotel will not be able to provide the Guest with the necessary information and properly provide services.  
  4. The name and surname of minor children arriving with tourist groups, the name of the organization with which the child arrived are collected to ensure the safety of children living in the Hotel.  
  5. When the Data Subject makes a Hotel room reservation by telephone, for the purposes of accommodation, administration and accounting, in order to fulfill the contract to which the Data Subject is a party, the Company processes the name, surname, telephone number, e-mail address of the person making the Hotel room reservation, the number of adults and minor children intending to arrive at the Hotel, and the length of stay. The Company provides information related to the reservation and its confirmation, sends invoices and advance invoices for payment for services by the telephone and e-mail provided by the Data Subject, and the billing address. If the Guest does not provide the mandatory personal data provided for in this part (provides only part of it or provides incorrect personal data), the Hotel has the right not to confirm the room reservation.
  6. An external reservation system, such as the website www.booking.com, may collect as much as indicated above or more personal data. The managers of external reservation systems are responsible for such processing of personal data. The Company is not responsible for how the Data Subject’s personal data is processed by the managers of external reservation systems. Therefore, before submitting any data in external reservation systems, it is recommended to familiarize yourself in detail with the personal data privacy policy of the managers of external reservation systems.

PROCESSING OF PERSONAL DATA FOR THE PURPOSE OF EMPLOYMENT IN THE COMPANY

  1. Potential Hotel employees (candidates, job seekers) provide the Company with the following personal data: resume, name, surname, phone number, email address, other personal data. If a potential employee contacts the Hotel through social media, such as LinkedIn, the social network manager may process the person’s interest in the Hotel’s advertised positions for the purposes set out in the social network manager’s policy. The Data Subject’s personal data submitted when applying for a specific advertised position or submitted by the individuals themselves on job posting websites is processed for the purpose of conducting the selection. It is considered that when a candidate applies to the Hotel for the purpose of employment and submits his/her personal data to the Company, or when a person looking for a job submits a resume with his/her Personal Data to job search websites, the candidate agrees to the processing of personal data for the purpose of conducting the selection. If the candidate is not offered a job, after the selection for a specific Hotel advertised position is completed, the candidate’s data is destroyed, except if the person gives consent to store the data for the purpose of other future Hotel employee selections.

PROCESSING OF PERSONAL DATA WHEN A DATA SUBJECT VISITS THE WEBSITE

  1. For the purpose of improving the services provided, when a Data Subject visits the website, the company processes the IP address, the operating system version and the parameters of the device used to access the content/goods, the session usage time and duration, the query terms entered on the website, and any information stored in cookies set by the device.

     

CHAPTER V
RECIPIENTS OF PERSONAL DATA

The Data Controller values the privacy of its Guests and other individuals, therefore, the Data Controller does not provide Personal Data to other persons without the Data Subject’s consent, except for the following persons:

  1. in the event of a dispute – to persons providing legal services to the Data Controller;
  2. auditors, other consultants;
  3. engaged data processors, such as, for example: an accounting service company, marketing service providers, an IT service company, security, personnel service companies, etc.;
  4. payment service providers (banks, credit institutions, payment initiation service providers, etc.);
  5. state institutions, law enforcement agencies and other persons in accordance with the procedure established by legal acts;
  6. insurance companies.

CHAPTER VI
TERMS OF PERSONAL DATA STORAGE

  1. Personal data is processed for no longer than is necessary to achieve the purposes of data processing or no longer than required by the Data Subjects and/or provided for by applicable legal acts.
  2. If the personal data storage period established in legal acts changes, the Data Controller will store the personal data provided by the Data Subject (collected by the Data Controller) for a specific personal data processing purpose for the period established by law.
  3. As of the date of approval of this Privacy Policy, the personal data provided by the Guest in the Guest registration card is stored for 5 (five) years from the date of the Data Subject’s reservation. The storage period is determined in accordance with the Tourism Law of the Republic of Lithuania, as well as the description of the procedure for registering accommodated members of member states and citizens of other countries approved on the basis of this law, and the 5 (five) year storage period for completed registration cards established therein. 
  4. The Data Controller usually processes the data during the conclusion, execution of the contract, provision of services and for 10 years from the termination of the contract, provision of services or the end of the relationship, fulfilling the requirements established in legal acts related to document archiving and in order to make, execute or defend the Data Controller’s legal claims.
  5. The data provided by candidates for selection for a specific job offered by the Hotel is processed and stored during the selection period. After the specific selection is completed, when an employment contract is not concluded with the candidate, the candidates’ Personal Data, after receiving the candidate’s consent, is stored for 1 (one) year or until the Data Subject revokes the given consent for data processing.
  6. If the Data Subject revokes the consent for data processing or the data processing period expires (when the data is processed on the basis of the Data Subject’s consent), in this case, only the data confirming the fact of the Data Subject’s consent is stored, but no longer than 2 (two) years from the end of the consent period or the revocation of the consent in order to make, execute or defend the Data Controller’s legal claims.

CHAPTER VII
RIGHTS OF DATA SUBJECTS RELATED TO PERSONAL DATA

The Data Subject may exercise his/her rights by personally visiting the Hotel administration or by sending a request signed with an electronic signature to the contacts specified in Chapter X of this Privacy Policy. The Data Controller provides an appropriate response and/or records and does so in any case no later than 1 month from the date of receipt of the request. The Data Controller provides confirmation of what actions were taken in response to the Data Subject’s request or informs if it cannot fulfill any specific request and states the reasons for such a decision. The Data Controller has the right to reject requests that are unreasonably repetitive, excessive or clearly unfounded, or to apply an adequate fee for such requests. At the request of the Data Subject, information may be provided orally, by allowing access to the document, by providing a certificate, an extract from the document or a paper copy of the document, an electronic medium, or access to the information file. If the person does not specify the form of information provision in his/her request, the information is provided to him/her in the same form as the request was received. It is noted that the rights of data subjects are not absolute and may be restricted in accordance with the procedure established by the legal acts of the Republic of Lithuania, under the conditions set out in Article 23 of the GDPR.  

  1. RIGHT TO WITHDRAW CONSENT. The Data Subject may at any time withdraw his/her consent to allow the processing of his/her personal data, without incurring any costs and without affecting the lawfulness of the data processing based on this consent before its withdrawal. Upon withdrawal of consent, the Data Controller suspends the activities and services related to this consent.
  2. RIGHT TO ACCESS PERSONAL DATA. The Data Subject has the right to obtain from the Data Controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data. The Data Controller, upon request, shall provide the Data Subject with a copy of the personal data undergoing processing. The right to obtain a copy shall not adversely affect the rights and freedoms of others.  
  3. RIGHT TO RECTIFICATION. The Data Subject shall have the right to obtain from the Data Controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the Data Subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.  
  4. RIGHT TO ERASURE (“RIGHT TO BE FORGOTTEN”). The Data Subject shall have the right to obtain from the Data Controller the erasure of personal data concerning him or her without undue delay and the Data Controller shall have the obligation to erase personal data without undue delay if one of the grounds provided for in the GDPR applies. The Data Controller has the right to refuse to grant the Data Subject’s request in cases established by legal acts, including, but not limited to, the cases referred to in Article 17(3) of the GDPR. This right may also not be exercised if the Data Controller is obliged to store the personal data in accordance with laws or other legal grounds.  
  5. RIGHT TO RESTRICTION OF PROCESSING. The Data Subject may have the right to restrict the processing of Personal Data where one of the following applies: the Data Subject contests the accuracy of the Personal Data; the processing is unlawful and the Data Subject opposes the erasure of the Personal Data and requests the restriction of their use instead; the Data Controller no longer needs the Personal Data for the purposes of the processing, but they are required by the Data Subject for the establishment, exercise or defense of legal claims; or the Data Subject has objected to processing pursuant to his or her legitimate interests. Where the Data Subject has obtained restriction of processing, such personal data shall, with the exception of storage, only be processed with the Data Subject’s consent or for the establishment, exercise or defense of legal claims or to protect the rights of another natural or legal person or for reasons of important public interest.  
  6. RIGHT TO DATA PORTABILITY. The Data Subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller, where the processing is based on consent or on a contract and the processing is carried out by automated means. In exercising his or her right to data portability, the Data Subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible. The aforementioned right shall not adversely affect the rights and freedoms of others.  
  7. RIGHT TO OBJECT. The Data Controller, in carrying out its activities, processes some of the Data Subjects’ personal information on the basis of legitimate interests. In doing so, the Data Controller ensures that such data processing does not violate the Data Subject’s personal information protection requirements. The Data Subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (f) of Article 6(1), including profiling based on those provisions. The Data Controller shall no longer process the personal data unless the Data Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Data Subject or for the establishment, exercise or defense of legal claims.  
  8. RIGHT NOT TO BE SUBJECT TO A DECISION BASED SOLELY ON AUTOMATED PROCESSING, INCLUDING PROFILING. The Data Subject shall have the right to know and be informed of the logic involved in the automated processing of Personal Data and what the possible consequences of such Personal Data processing might be, where the data is processed solely by automated means. Where the Data Subject requests the review of an automated decision (if such decisions are made by the Data Controller in respect of the Data Subject), the Data Controller shall carry out a comprehensive assessment of all relevant data, including information provided by the Data Subject.  
  9. RIGHT TO LODGE A COMPLAINT OR INQUIRY. If the Data Subject believes that the Data Controller, when processing the Data Subject’s personal data, does not comply with the requirements of the GDPR or applicable laws of the Republic of Lithuania, the Data Subject may lodge a complaint with the supervisory authority. In Lithuania, such issues are supervised by the State Data Protection Inspectorate (ada.lt).

CHAPTER VIII
PROCEDURE FOR CONTACTING THE COMPANY REGARDING THE EXERCISE OF THE DATA SUBJECT’S RIGHTS

  1. To apply for the exercise of the Data Subject’s rights, the Data Subject has the right to do so orally or in writing, by submitting a request in person, by mail or electronically to the contacts specified in this Privacy Policy. The request to exercise the Data Subject’s rights must be legible, signed, and must include the name, surname, address and/or other contact information of the person submitting the request for communication or by which it is desired to receive a response regarding the exercise of the Data Subject’s rights.  
  2. When contacting the Data Controller regarding the exercise of the Data Subject’s rights, the Data Subject must confirm his/her If this is not done, the Data Controller will not be able to accept the Data Subject’s requests and the Data Subject’s rights will not be exercised. This provision does not apply if the contact is regarding information about personal data processing in accordance with Articles 13 and 14 of the GDPR.  
  3. If, regarding the exercise of the Data Subject’s rights, the person decides to contact the Data Controller in person, the Data Subject must submit his/her identity document to the Data Controller. If, regarding the exercise of the Data Subject’s rights, the person decides to contact the Data Controller in writing, by submitting a request by mail, the Data Subject will also have to come to the Hotel administration and submit his/her identity document to the Data Controller or confirm his/her identity in another agreed manner. If the person decides to submit a request electronically, the request must be signed with a qualified electronic signature. This provision does not apply if the person contacts regarding information about personal data processing in accordance with Articles 13 and 14 of the GDPR. 
  4. If the Data Controller has any doubts about the identity of the person submitting the request, the Data Controller has the right to request additional information necessary to verify it.

CHAPTER IX
PERSONAL DATA PROTECTION BREACH RISK FACTORS AND THEIR SOLUTIONS

In order to ensure adequate Personal Data protection, the Data Controller implements the following organizational and technical Personal Data protection measures: 

Organizational:
1.1. The Data Controller organizes the work procedure in such a way as to ensure the secure handling and (if applicable) transmission of computer data and/or documents and their archives;
1.2. Access to the Data Subject’s Personal Data is granted only to those Employees who need it to perform their job functions and only to those who have signed confidentiality agreements and are familiar with other internal procedures within the scope of Personal Data processing.

Technical:
2.1. The Data Processors (service providers) appointed by the Data Controller operate only under the Data Controller’s authorization;
2.2. Personal data is protected from loss, unauthorized use and alteration. The internet connection is encrypted, and the Hotel’s website is run over the https:// protocol;
2.3. Protection of computer equipment against malicious software is ensured (e.g., installation, updating of antivirus programs), and the internal computer network is protected by a firewall.

CHAPTER X
CONTACT INFORMATION

Contact information for comments, requests or questions regarding personal data processing: 

Park Hotel Šiauliai 
Address: S. Lukauskio str. 5A, 76236 Šiauliai
Phone: +370 600 13112
e-mail: info@parkhotelsiauliai.lt